Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Privacy Vulnerability In IOT Devices: Traffic Rate Metadata (helpnetsecurity.com)

Posted by EditorDavid on from the knowing-when-you're-awake dept.

Orome1 quotes Help Net Security: Even though many IoT devices for smart homes encrypt their traffic, a passive network observer -- e.g. an ISP, or a neighborhood WiFi eavesdropper -- can infer consumer behavior and sensitive details about users from IoT device-associated traffic rate metadata. A group of researchers from the Computer Science Department of Princeton University have proven this fact by setting up smart home laboratory with a passive network tap, and examining the traffic rates of four IoT smart home devices: a Sense sleep monitor, a Nest Cam Indoor security camera, a WeMo smart outlet, and an Amazon Echo smart speaker... "Once an adversary identifies packet streams for a particular device, one or more of the streams are likely to encode device state. Simply plotting send/receive rates of the streams revealed potentially private user interactions for each device we tested," the researchers noted. [PDF]
In addition, the article notes, "Separating recorded network traffic into packet streams and associating each stream with an IoT device is not that hard."

1 of 24 comments (clear)

  1. The Mere Existence of Traffic Can Be a Problem by DERoss · · Score: 3, Informative

    If a house with extensive I0T devices is being monitored, the mere existence of Internet traffic can be a serious problem. If such traffic ceases or merely drops, that can be an indicator that no one is home, making the house a target for burglars.

    More than four years ago, this vulnerability was described relative to so-called smart electric meters. The lack of encryption in the signals transmitted by those meters made it even easier to determine which houses should be targeted for burglary. That is because a vacant house might still have a refrigerator running or a lamp left on. With no encryption, the meter readings can be analyzed to determine the amount of electricity being used. Minimal usage means no one is home. The reality of this vulnerability was described in a research paper presented at the 19th ACM Conference on Computer and Communications Security in 2012.